Customer notice should be given in a clear and conspicuous manner. The notice should describe the incident in general terms and the type of customer information that was the subject of unauthorized access or use. It also should generally describe what the bank has done to protect the customers’ information from further unauthorized access. In addition, it should include a telephone number that customers can call for further information and assistance.The notice also should remind customers of the need to remain vigilant over the next twelve to twenty-four months, and to promptly report incidents of suspected identity theft to the institution.
The notice should include the following additional items, when appropriate:
• A recommendation that the customer review account statements and immediately report any suspicious activity to the institution;
• A description of fraud alerts and an explanation of how the customer may place a fraud alert in the customer’s consumer reports to put the customer’s creditors on notice that the customer may be a victim of fraud;
• A recommendation that the customer periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted;
• An explanation of how the customer may obtain a credit report free of charge; and
• Information about the availability of the FTC’s online guidance regarding steps a consumer can take to protect against identity theft. The notice should encourage the customer to report any incidents of identity theft to the FTC, and should provide the FTC’s Web site address and toll-free telephone number that customers may use to obtain the identity theft guidance and report suspected incidents of identity theft.15
The bank will notify the nationwide consumer reporting agencies prior to sending notices to a large number of customers that include contact information for the reporting agencies.